AllixD Firewall Script

From SlackWiki

I use this. It does not allow any incoming data, so it's no good for NFS servers.

#!/bin/sh

IPT="/usr/sbin/iptables"

# Let's make sure forwarding is DISABLED (this is a host, not a router):
echo "0" > /proc/sys/net/ipv4/ip_forward

# Let's enable SYN cookies (to protect against SYN floods):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Let's disable TCP timestamps. This trims a few bytes per segment and stops
# the timestamp clock from leaking our uptime, but it also disables PAWS and
# the finer RTT estimates that fast links rely on, so keep them on a server:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

# Let's enable reverse path filtering for anti-spoofing. The kernel uses the
# higher of conf/all and the per-interface value, so set "default" too, or
# interfaces created later will come up without it:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter

# Let's ignore PINGs which have been BROADCAST (smurf amplification):
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Let's disable source routed packets as they are ridiculous:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Let's accept ICMP redirects from our default gateways only. A host with a
# single gateway can go further and set accept_redirects to "0":
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

# Let's log any UFOs which are spotted (packets with impossible sources):
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Let's set our policies BEFORE flushing, so there is no moment between the
# flush and the new rules where an ACCEPT policy lets everything in.
# INPUT and FORWARD get DROP; OUTPUT gets ACCEPT, because we can
# appreciate this kinda flexibility on a Home PC:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Let's flush-out all the chains in our tables:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Let's delete every non-builtin chain in our tables:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# Let's accept incoming packets which belong to connections that have
# ALREADY been initiated ("-m conntrack --ctstate" is the current spelling
# of the older "-m state --state"; both match the same thing):
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Let's allow all packets initiating new connections LOCALLY:
$IPT -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT

# Let's log what reaches this rule, right before it hits our INPUT policy
# and gets a DROP. The limit match keeps a scan or a flood from filling the
# log (and the disk) at line rate; packets over the limit are still dropped:
$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "

# Let's load the modules allowing Connection Tracking for FTP and IRC, so
# their data connections show up as RELATED above. Newer kernels call these
# nf_conntrack_*; the older ip_conntrack_* names are the fallback:
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_irc 2>/dev/null || /sbin/modprobe ip_conntrack_irc
# On recent kernels the helper is no longer attached to connections
# automatically; it has to be requested per flow with a CT rule, e.g.
#   $IPT -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

# Note that this script only configures IPv4. If the box has IPv6 enabled,
# ip6tables is still at its default ACCEPT policy and every listening
# service is reachable over v6 until it gets rules of its own.

# No rc.firewall script is complete without the ubiquitous echo:
echo "So let it be written. So let it be done."
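The same policy, written as an added example rather than the script above: the rules are emitted in iptables-restore format so the kernel swaps the whole ruleset in one atomic step (no flush-then-add window), services to open are passed in as "tcp/PORT" or "udp/PORT" specs (an assumption made for this example, which is what makes the script usable on the NFS server the intro rules out), and IPv6 gets a matching ip6tables-restore ruleset since the original leaves ip6tables untouched. Nothing here is the wiki author's code; the "--apply" flag and function names are this example's own.

```shell
#!/bin/sh
# Added example: generate the host-firewall policy as iptables-restore /
# ip6tables-restore input. Service specs ("tcp/22", "udp/2049") and the
# --apply flag are assumptions made for this example.

# service_rules tcp/PORT|udp/PORT ...  -> one ACCEPT rule per service
service_rules() {
    for spec in "$@"; do
        case $spec in
            tcp/[0-9]*|udp/[0-9]*) ;;
            *) printf 'bad service spec: %s\n' "$spec" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p ${spec%%/*} --dport ${spec#*/} -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# common_rules -> the stateful core shared by the v4 and v6 rulesets:
# DROP policies on INPUT/FORWARD, loopback and reply traffic accepted,
# packets conntrack cannot classify dropped.
common_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
}

# log_and_commit PREFIX -> rate-limited LOG so a flood cannot fill the disk,
# then COMMIT; whatever reaches the end of INPUT hits the DROP policy.
log_and_commit() {
    printf '%s\n' "-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$1\""
    printf '%s\n' 'COMMIT'
}

build_ipv4_rules() {
    common_rules
    service_rules "$@" || return 1
    log_and_commit "INPUT DROP: "
}

build_ipv6_rules() {
    common_rules
    # Neighbour discovery and path-MTU discovery are ICMPv6; dropping them
    # breaks IPv6 entirely, so the protocol is accepted here.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
    service_rules "$@" || return 1
    log_and_commit "INPUT6 DROP: "
}

# Load both rulesets atomically. Only used with --apply, and needs root.
load_rules() {
    build_ipv4_rules "$@" | iptables-restore &&
    build_ipv6_rules "$@" | ip6tables-restore
}

if [ "${1:-}" = "--apply" ]; then
    shift
    load_rules "$@"
else
    build_ipv4_rules tcp/22 udp/2049   # print the v4 ruleset for inspection
fi
```

Run it without arguments to review the generated rules; run it as root with `--apply tcp/22 udp/2049` (or whatever the box serves) to load them. Because iptables-restore parses and validates the whole file before committing, a typo in one rule leaves the previous ruleset in place instead of a half-built one.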
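The LOG rule above only pays off if someone reads what it writes. As an added example (not from the page), here is a small triage function for the "INPUT DROP: " lines the kernel puts in the syslog: it pulls SRC, PROTO and DPT out of each line and counts them, so a port scan from one host or a single noisy peer stands out immediately. The log lines embedded below are constructed for this example in the format the iptables LOG target produces; they are not real captures.

```shell
#!/bin/sh
# Added example: summarise the kernel's "INPUT DROP: " log lines.
# summarize_drops reads syslog-style lines on stdin and prints
# "count SRC PROTO DPT", most frequent first. Lines without a
# destination port (ICMP) show "-" in the DPT column.
summarize_drops() {
    awk '
        /INPUT DROP: / {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            n[src " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample: three SYNs to port 22 and one to 23 from the same
# host, one stray mDNS packet, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar  3 10:12:01 slack kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:12:02 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1235 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:12:03 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1236 DF PROTO=TCP SPT=41236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:12:04 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TTL=112 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  3 10:12:05 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=1237 DF PROTO=TCP SPT=41237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:12:06 slack sshd[123]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2'

# Usage on a live box: grep "INPUT DROP: " /var/log/messages | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real system feed it the kernel log (`/var/log/messages` or `/var/log/syslog` on Slackware, `dmesg` in a pinch). Remember that the rule only logs what the limit match lets through, so the counts are a lower bound during a flood.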